06-23-2005 03:50 AM
I have a VPN Concentrator 3005 which has been running on OS version 4.1.3. I have two types of client which connect with IPSEC/IKE - Cisco clients on Windows XP & Movian VPN clients on Windows CE.
Due to a recently discovered security issue with this version of the OS I upgraded to version 4.1.7F.
After upgrading the 3005 the Cisco clients continued to work fine but the Movian clients were unable to establish a connection. Looking at the event log I notice that both clients complete Phase 1. However after this the Cisco client matches the SA and authenticates (IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 4 Proposal (ESP-3DES-SHA) etc. etc.)
Whereas the Movian client does not (see below). Any ideas as to why this is happening with the new OS version?
7417 06/23/2005 09:52:54.140 SEV=4 IKE/119 RPT=11 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
PHASE 1 COMPLETED
7418 06/23/2005 09:52:54.140 SEV=6 IKE/121 RPT=11 10.63.197.192
Keep-alive type for this connection: None
7419 06/23/2005 09:52:54.140 SEV=6 IKE/122 RPT=7 10.63.197.192
Keep-alives configured on but peer does not support keep-alives (type = None)
7420 06/23/2005 09:52:54.140 SEV=7 IKEDBG/82 RPT=11 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
Starting phase 1 rekey timer: 2700000 (ms)
7422 06/23/2005 09:52:54.140 SEV=9 IKEDBG/0 RPT=702 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
IKE SA AM:86c2b3ae rcv'd Terminate: state AM_ACTIVE
flags 0x00413041, refcnt 1, tuncnt 1
7425 06/23/2005 09:52:54.140 SEV=9 IKEDBG/0 RPT=703
sending delete/delete with reason message
7426 06/23/2005 09:52:54.140 SEV=6 IKE/0 RPT=11 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
Removing peer from correlator table failed, no match!
7428 06/23/2005 09:52:54.150 SEV=9 IKEDBG/0 RPT=704 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
IKE SA AM:86c2b3ae terminating:
flags 0x01413001, refcnt 0, tuncnt 0
7430 06/23/2005 09:52:54.150 SEV=9 IKEDBG/0 RPT=705
sending delete/delete with reason message
7431 06/23/2005 09:52:54.150 SEV=9 IKEDBG/0 RPT=706 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
constructing blank hash
7432 06/23/2005 09:52:54.150 SEV=9 IKEDBG/0 RPT=707
constructing IKE delete payload
7433 06/23/2005 09:52:54.150 SEV=9 IKEDBG/0 RPT=708 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
constructing qm hash
7434 06/23/2005 09:52:54.150 SEV=8 IKEDBG/81 RPT=278 10.63.197.192
SENDING Message (msgid=8a595645) with payloads :
HDR + HASH (8) + DELETE (12)
total length : 80
7436 06/23/2005 09:52:54.150 SEV=4 AUTH/23 RPT=7 10.63.197.192
User [netPAD-guy-1924V] Group [labuser] disconnected: duration: 0:00:00
7447 06/23/2005 09:52:58.320 SEV=8 IKEDBG/96 RPT=18 10.63.197.192
Received encrypted packet with no matching SA, dropping
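An added example (not part of the original post and not Cisco code): a small Python parser for the event-log format shown above that flags a peer which completes Phase 1 and is then disconnected with duration 0:00:00 before any IPSec SA proposal is accepted. The function names are hypothetical, and the "acceptable" match string is assumed from the wording quoted in the post.

```python
import re

# Event header: seq, date, time, SEV, class/number, RPT, optional peer IP
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d\d/\d\d/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<num>\d+) RPT=\d+(?: (?P<peer>\S+))?$")
USER = re.compile(r"User \[(?P<user>[^\]]+)\]")

def parse_events(text):
    """Group each header line with the message lines that follow it."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "msg": []})
        elif line and events:
            events[-1]["msg"].append(line)
    return events

def phase2_failures(events):
    """Return (peer, user, phase1_time) for sessions that complete Phase 1 and
    disconnect with duration 0:00:00 before an IPSec SA proposal is accepted."""
    pending, failures = {}, []
    for ev in events:
        peer, msg = ev["peer"], " ".join(ev["msg"])
        if peer is None:
            continue  # events without a peer address cannot be correlated
        code = f'{ev["cls"]}/{ev["num"]}'
        if code == "IKE/119" and "PHASE 1 COMPLETED" in msg:
            pending[peer] = ev["time"]
        elif "IPSec SA Proposal" in msg and "acceptable" in msg:
            # Assumption: matched on message text only, as quoted in the post
            pending.pop(peer, None)  # Phase 2 matched, session is healthy
        elif code == "AUTH/23" and "duration: 0:00:00" in msg and peer in pending:
            user = USER.search(msg)
            failures.append((peer, user.group("user") if user else None, pending.pop(peer)))
    return failures

# Sample input: events copied from the log in the post, trimmed to the relevant ones
SAMPLE = """\
7417 06/23/2005 09:52:54.140 SEV=4 IKE/119 RPT=11 10.63.197.192
Group [labuser] User [netPAD-guy-1924V]
PHASE 1 COMPLETED
7425 06/23/2005 09:52:54.140 SEV=9 IKEDBG/0 RPT=703
sending delete/delete with reason message
7436 06/23/2005 09:52:54.150 SEV=4 AUTH/23 RPT=7 10.63.197.192
User [netPAD-guy-1924V] Group [labuser] disconnected: duration: 0:00:00
"""

if __name__ == "__main__":
    for peer, user, t in phase2_failures(parse_events(SAMPLE)):
        print(f"{peer} {user}: Phase 1 completed at {t}, dropped before Phase 2")
```

Run against a full log export, this separates clients that fail at the Phase 1 to Phase 2 boundary from those that authenticate normally.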
07-13-2005 07:25 AM
We had the same problem as you after we upgraded the concentrator from 4.1.5.B to 4.1.7.F. Our Movian VPN client dropped the connection after phase 1 completed.
Did you find a workaround for your Movian client, or did you downgrade the concentrator's OS?
Thanks
07-13-2005 10:38 AM
Sadly I had to downgrade the concentrator's OS. I have seen that AnthaVPN are producing the latest version of the client - but this does not run on our client hardware! So at the moment we are stuck on the old OS.
07-13-2005 09:27 AM
Same here, but with version 4.7.1 on a 3030
Can you run the built-in VPNs on PPC and Palm to connect to a VPN 3000?
07-13-2005 11:53 PM
CSCsa65275
This issue is actually a problem with all non-Unity clients. Movian has the ability to be either Unity or pre-Unity -- Unity works fine.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/417ecn3k.htm
We changed the Movian profile from "Cisco VPN 3000" to "Cisco Unity Client", reentered the IKE and IPsec Parameters and the Client was able to connect again.
We noticed a different connection Type. (IPsec over TCP vs IPsec)
07-14-2005 06:46 AM
AWESOME! THANK YOU, I OWE YOU ONE.
Marcelo